Grouper 2.3+ supports privilege inheritance in the new UI. Previously, inherited privileges were available only by assigning rule attributes in a specific way or by using GSH. Note that inherited privileges are also displayed on the normal privilege screens of the affected objects. Removing one there does not revoke it durably: the rule daemon reassigns it the next time it runs (by default within a day; the schedule is configurable). To revoke an inherited privilege, delete it from the inherited privileges screen of the folder on which it is assigned.
Grouper Privileges (ADMIN, UPDATE, READ, VIEW, etc.) are defined in the Grouper Glossary.
There are seven screens for viewing and controlling inherited privileges, described below.
In Grouper newer than these patches, the following Jiras are implemented:
GRP-1663: removing an inherited privilege should revoke those privileges from sub-objects
GRP-1664: do not add admin privileges to root or wheel when creating objects
GRP-1665: do not add admin privileges to inherited admins
GRP-1667: a folder inherited privilege should apply to the assigned folder
On a folder screen, if you are an ADMIN of the folder (and are allowed to manage inherited privileges, see below), click "More -> Privileges inherited to objects in folder".
Click "Add members" to add a new inherited privilege.
Select a member, the object type(s) to assign to (more than one type can be selected at once) and the privileges.
You can delete direct inherited privileges (those assigned on this folder). Indirect entries are assigned on an ancestor folder and can only be deleted there: click through to that folder and delete them from its screen.
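The same assignment can be scripted from GSH, which is useful when the rule should be created by a provisioning job rather than by hand. The following is an added example and not code from the original page or from the Grouper project: the folder app:sis, the subject jsmith in source ldap and the group rosters are placeholders, and the RuleApi method signatures should be checked against the javadoc of your Grouper version.

```groovy
// Added GSH example (not from the page). Folder, subject and group names are hypothetical.
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.Stem
import edu.internet2.middleware.grouper.StemFinder
import edu.internet2.middleware.grouper.SubjectFinder
import edu.internet2.middleware.grouper.privs.Privilege
import edu.internet2.middleware.grouper.rules.RuleApi

grouperSession = GrouperSession.startRootSession()
actAs = SubjectFinder.findRootSubject()

// Folder whose objects should inherit the privilege. Stem.Scope.SUB covers the folder and
// every sub-folder; Stem.Scope.ONE would cover only the folder's direct children.
folder = StemFinder.findByName(grouperSession, "app:sis", true)

// Member that receives the privileges (a group can be used as the subject too).
helpdesk = SubjectFinder.findByIdAndSource("jsmith", "ldap", true)

// Equivalent of the UI screen "Privileges inherited to objects in folder", type "groups":
// every group under app:sis gives jsmith READ and UPDATE. Use the least privilege the
// role needs; inheriting ADMIN hands out the ability to change privileges on every group.
RuleApi.inheritGroupPrivileges(actAs, folder, Stem.Scope.SUB, helpdesk,
    Privilege.getInstances("read, update"))

// New objects receive the inherited privilege when they are created; objects that already
// existed receive it when the rule daemon next runs (see the note at the top of the page).
rosters = folder.addChildGroup("rosters", "Rosters")
assert rosters.hasRead(helpdesk)
assert rosters.hasUpdate(helpdesk)
assert !rosters.hasAdmin(helpdesk)

GrouperSession.stopQuietly(grouperSession)
```

The assertions at the end are the check a practitioner would do after creating the rule: the new group carries exactly the inherited privileges and nothing more. Revoking READ from jsmith on the rosters group directly would be undone by the daemon; to revoke it for good, remove the rule from the folder.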
If you are an ADMIN of a group and can view inherited privileges, pull a group up on the UI and click "More -> This group's privileges inherited from folders"
If you are an ADMIN of a folder and can view inherited privileges, pull a folder up on the UI and click "More -> This folder's privileges inherited from ancestor folders"
If you are an ADMIN of an attribute definition and can view inherited privileges, pull an attribute definition up on the UI and click "More -> This attribute's privileges inherited from ancestor folders"
If you can view inherited privileges, pull an entity up on the UI and click "More -> This subject's privileges inherited from folders".
This is similar to viewing the privileges assigned to a subject, and it can be confusing: a group can itself be a subject (a member of other groups), so this screen also exists for groups. It shows the privileges the group receives as a subject, not the privileges on this group that come from inherited privileges (those are on the screen described above).
To see it, pull up a group you can VIEW on the UI and click "More -> This subject's privileges inherited from folders".
To view all inherited privileges in the registry that you are allowed to see:
Click on Miscellaneous (this link is shown if you can see inherited privileges).
Click "Inherited privileges".
This section describes who is allowed to view or assign inherited privileges.
To see the rule configuration for inherited privileges on the UI, you need to be an ADMIN (stemAdmin privilege) of a folder that is affected by the rule. If you want fewer people to be able to read or update the rules, tighten these settings in grouper-ui.properties (the uiV2.* properties live there, not in grouper.properties):
# require admin (GrouperSysAdmin or wheel group) to update inherited privileges
uiV2.privilegeInheritanceUpdateRequireAdmin = false
# require admin (GrouperSysAdmin or wheel group) to read inherited privileges
uiV2.privilegeInheritanceReadRequireAdmin = false
# require membership in this group (group name) to update inherited privileges; blank means no group is required
uiV2.privilegeInheritanceUpdateRequireGroup =
# require membership in this group (group name) to read inherited privileges; blank means no group is required
uiV2.privilegeInheritanceReadRequireGroup =
Note that you do not need to be able to read attributes on the folder where the rule is assigned (the parent or ancestor folder) to see the privilege inheritance, and you do not need privileges on the rule attributes either. If you want to require privileges on the rule attributes, set this in grouper-ui.properties:
# if this is true you dont even need to be able to read the rule attributes to see inherited privileges
uiV2.privilegeInheritanceDoesntRequireRulesPrivileges = false
With it set to false, to see inherited privileges you must be able to READ the two attributeDefs for the rule type and the rule attributes.
You can control whether the global screen is linked from the UI (note that the global screen has no paging as of 2.3.0):
# if show miscellaneous link
uiV2.showMiscellaneousLink = true
# if show global inherited privileges link
uiV2.showGlobalInheritedPrivilegesLink = true